FreeBSD IPFW NAT and Jails

IPFW in FreeBSD has built-in support for NATing and the configuration syntax is same as that of natd. It took me quite some time to figure out how to NAT for jails while ensuring that certain jails can have public IPs.

Configure the nat on one of the IP addresses:

When using stateful firewall, the NAT rule for incoming traffic must appear before check-state:

Other rules (service ports) can be placed below this:

Then the NAT rule for outgoing traffic:

Notice above, I am NATing only traffic that comes from . I allocate jails an IP on that subnet (unless I need a public IP for the jail). If the source is not mentioned in the rule, it will NAT even public IPs!

And finally, the outgoing ports:

The catch here is that we jump to the NAT rule only if the traffic comes from . If the traffic is coming from somewhere else (for example, a public IP allocated to one of the jails), it will hit the second rule and directly allow it.

Make sure you have the rule to allow loX traffic if you have separate clone interfaces for each jail.

Final touches:

The firewall script ipfw.rules must to contain other rules for services, icmp, etc not mentioned here.
Everything working smoothly now – ip4 from private jails, ip4 and ip6 from others 😀


Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: